DOJ's "Community of Interest" Letters are Illegal

The Electronic Communications Privacy Act puts strict limits on when a telecommunications provider can hand over customer data to the government. Section 2702(A)(1) prohibits disclosure of the contents of a communication, and (A)(3) forbids the release of a "record or other information pertaining to a subscriber to or customer" other than the content covered by (A)(1). Thus, sections 2702(A)(1) and (A)(3) complement one another, and together protect all records about a communication. Absent a specific statutory exception, it is flatly illegal for the telecoms to provide customer information to the government.

So the "community of interest" requests made as part of the "exigent letters" were doubly illegal. We need a new word for this -- what do you call an illegality piled on top of another illegality? Illegal squared?

And it doesn't stop there. Even if those "community of interest" requests had been part of a regular National Security Letter (NSL), they still would have been illegal. ECPA's NSL provision only authorizes the FBI to request "the name, address, length of service, and local and long distance toll billing records of a person" (emphasis added) under specific circumstances. To ask for information about a subject's community of interest, the FBI would have to issue a properly certified NSL for each person in the community. The NSL provision of ECPA (Section 2709) was just declared unconstitutional by a federal judge in a terrific case brought by the ACLU (with EFF amicus support), but even if the statute was still valid, it wouldn't have allowed this.

Most of the "community of interest" letters also formalistically recited that the requests would be followed by formal legal process, envisioning an after-the-fact papering over of the illegality. However, the IG report noted that this follow-up often never happened, and the "FBI was unable to determine whether [National Security Letters] or grand jury subpoenas were issued to cover the exigent letters."

For those keeping score, a grand jury subpoena would not validate the government's request for a "community of interest" either. Section 2703(c)(2) sets forth a detailed list of information the government can obtain from telecoms with a grand jury subpoena, such as the customer's name, address, and means of payment. This list does not include the customer's community of interest.

In short, there is no legal basis for these "community of interest" demands, whether issued as exigent letters, or through an NSL or grand jury subpoena.

This is a sensible rule. Anyone who's played "Six Degrees of Kevin Bacon" or looked over their relationships on a social networking service knows what a wide variety of people can be just a few degrees of separation away. For example, I know people who know Attorney General Gonzales -- but I'd hate to be caught up in an investigation of the soon to be former AG just because I'm two degrees away.

These revelations also underscore the need for substantive oversight that will prevent requests for information that go beyond that allowed by law. After detailing years of abuse in his March report, the Inspector General is continuing to investigate the misuse of exigent letters and National Security Letters. These revelations about the FBI echo those we've all heard about the NSA conducting warrantless wiretaps and dragnet records and content surveillance that went undiscovered for over five years.

The Administration still thinks it can convince the American public to let the FBI and NSA police themselves. In the wake of the Inspector General's report, the FBI has insisted that it can be trusted to fix its own habitual NSL misuse. Asked about "community of interest" letters yesterday, Fran Townsend, the President's homeland security advisor, pointed only to the bare existence of a "privacy and civil liberties officer" and a newly created "compliance unit" at the FBI -- conspicuously avoiding discussion of any outside oversight. The new Protect America Act similarly grants the Attorney General and Director of National Intelligence the right to "certify" broad surveillance techniques with no serious judicial oversight. While the Administration pushes "internal agency audits by the agencies using this authority," the American people can accept no substitutes for independent judgment when freedom is on the line.

External oversight by Congress and the courts is vital to protecting the privacy and security of Americans. The courts have recently started indicating that they are up to the task. The NSL provision was found unconstitutional in the ACLU case in part because of the extraordinarily deferential review process that would require the Judicial Branch to treat certain Executive certifications "as conclusive unless the court finds that the certification was made in bad faith."

Now that the Executive's abuses of its surveillance and spying powers have come clearly to light, it is unconscionable to allow the watchmen to keep watching themselves. A "privacy and civil liberties officer" in the FBI was not enough to stop the illegal use of exigent circumstance letters to spy on a target's friends of friends, and the deferential review proposed by the Protect America Act will not be enough to prevent the abuse of the law's extraordinary powers.
